Stand and deliver – your money or your (computer) life

28 03 2016

Ransomware. It’s been around for a few years now but in the last 6 months or so it’s really hit the mainstream press, and therefore entered the consciousness of the ‘ordinary person’. Recent high profile cases include a couple of hospitals in the US, a police station and a local authority in the UK.

Before I go into the details and explore what you can, or more likely can’t, do to protect yourself, I think it’s worth taking a step back and looking at the so called ‘underground economy’ of cyber crime.

Back in the day, the bad guys in the computer world were generally loners who did what they did for kicks and credibility amongst their peers. Very irritating, occasionally brilliant and generally disorganised.

That changed once it became clear that there was money to be made from what has come to be known as cybercrime. The professionals moved in as organised crime saw it as another lucrative string to their bow, promising low risk and high returns. Along with the increased organisation and the massive amounts of money, came demands for structure, specialists, quality control and co-ordination as well as the incessant demand for more and better products.

Nowadays a complete ecosystem is in place that is at least as organised as the mainstream legitimate economy. There are market places for the sale and exchange of everything from software to stolen credit cards. Code comes with money back guarantees, free trials, help manuals and even help desks. Every aspect of the economy has specialists who only focus on what they do best and hand on to the next person in the chain when their part is complete.

Into this mix comes ransomware.

Ransomware is, to put it in simple terms, a piece of computer code that you inadvertantly download to your PC. It might infect your PC via an email attachment, a website or even from an advert you click on. However it gets in, it has one purpose, to encrypt your files, and once those files are encrypted they will stay encrypted unless you can obtain the decryption key. And here’s the clever bit, in exchange for a fee usually in bit coins the bad guys will send you the decryption key.

The first you will probably know about it is a screen that will pop up on your computer looking something like this which is from Cryptolocker,

blog-cryptolocker

but they are all pretty much the same. At that point you have three choices:

  1. Restore your files from the backup (you do have backups don’t you?)
  2. Pay the fee
  3. Accept you have lost the files for ever and just move on.

Option 1 is fine as long as the backups are not accessible from the PC and the ransomware has not already found them and encrypted them as well. Assuming they are OK you simply need to disinfect your PC by running up to date antivirus software (the av software usually runs a day or so behind new ransomware so it might not work immediately – check online), delete the encrypted files and restore from your backups.

Option 2 is not ideal for a couple of reasons. Firstly the current fee is around 4 Bit Coins, which at time of press is about $700. For a company, that might be a small price to pay, for the audience of this blog it’s a not inconsiderable amount. Secondly, whilst it’s in the interest of the bad guys to make the process work, there are a number of reasons why it could fail. There might be an error in their code, there might be a problem with their use of encryption or law enforcement may have found them and taken the website down that’s hosting the decryption key. But as I said previously, this is a business and they are keen to maintain their reputation, and anecdotal evidence suggests that paying the fee will result in you receiving the decryption key.

Option 3 depends on you knowing what’s on your PC and whether you care about it. You still need to disinfect your PC but that’s about it.

So what can you do to protect yourself from ransomware? To be honest, beyond the normal good practice of regularly applying security updates and running up to date antivirus software not a lot. The age old advice of avoiding ‘dodgy’ websites, whilst still valid is not sufficient as many mainstream websites are infected these days (often via their advertisers’ sites). Not clicking on unexpected email attachments or following unknown links in emails is also fundamental good practice but is no guarantee that you’ll be safe.

One thing you might want to consider is to remove the admin rights from your normal account and create a separate account that you only use for admin type things (such as installing software). Some of the ransomware relies on being the Administrator on the box, so if you are logged in as a ‘normal’ user then it won’t work, or at least will only work on those files you control. Not perfect, but something.

The bottom line is that you are in the same position as the rest of us in the Commercial world. You have to expect the attack and then plan your response and try and mitigate the impact.

What stuff on your PC do you care about? Unless you are running a business, it probably boils down to photos and music, with a few personal letters thrown in.

You should make sure that you have backup copies of these important things. My previous blog about the Cloud gives some suggestions, but you could also consider offline backups on USB drives, SD cards or whatever. The main thing is to have them somewhere that is not immediately accessible from your PC, so that if bad stuff happens you’ve still got those photos of great aunt Daisy’s 100th birthday.

So that’s it I’m afraid. Ransomware is here to stay and will get more effective and more prevalent as time passes. Using the Internet gets more like Russian roulette every day, bad stuff is out there and it’s likely to get you at some point. All you can do is do the basics right (many of which I’ve covered in previous blog entries), and know what you are going to do when it’s your turn to get hit.

Depressing? Probably, but like everything else, until the general public really cares about something, governments and business won’t pay attention and get the problems fixed. Internet security is bubbling to the surface but at the moment there is more lip service than customer service being paid to solving the problem. Whilst software companies can get away with writing poor code, ISPs can get away with not caring about what they are hosting and Joe Public continues to do stupid things Internet crime will continue on an upwards tick that shows no sign of flattening out anytime soon.

 

Safe surfing

 

David

 

 

 

 

Advertisements




Of Passwords and PINS (3)

8 02 2013

In the final part of this series I’ll look at PINs and what you can do to make them easier to remember.

PIN numbers, generally 4 digits, and used to validate debit and credit cards, lock your i-phone, access buildings, secure safes and all manner of  other things have become one of those things we all have to remember. The 4 digit card PIN only offers 10,000 possible combinations, so it’s not really that secure, which is why so many systems operate the ‘3-strikes and you’re out’ control. But why only 4 digits? For the answer you have to ask John Shepherd-Barron the inventor of the ATM. It seems that Mr Shepherd-Barron favoured using 6 digits, but his wife preferred 4!

In the same way as there are commonly used passwords (see the previous post for more details), there are some PINs which appear on an all too frequent basis. A recent analysis by Data Genetics revealed how unimaginative people are.  Over 10% of the PIN codes analysed were 1234, and 6% were 1111. The least common PIN was 8068, but probably best not to use that now as the bad guys can also read the reports.

Maybe you need a different approach. In the same way as you can have a memorable password, why not have memorable PINs? No! Not your birthday, or your partners birthday, or your house number, too many people already know them. But why not use the letters A through J to reflect the numbers 1 to 0, and create a combination that is meaningful to you? First four words of a favourite tune, initials of four family members, first four letters of you home town.

Most organisations which require you to have a PIN allow you to change them, usually on-line or at the ATM, so that’s not much of a chore, BUT, don’t change them all to the same value. Like passwords, it makes sense to have a variety of PINs, and to he honest you’re unlikely to have as many PINs as you have passwords (unless you collect credit cards as a hobby).

The standard instruction (as with passwords) is not to write them down, but again, as with passwords, there are variations on a theme. Clearly no-one would write in their diary: Barclaycard 1234; Amex 3456; M&S 4567 would they (pause whilst some readers tear page out of diary), but it is possible to be more discreet and still record those which you use less often in the same way as you can record passwords.

The frequently used ones you will remember because you use them everyday, especially if you have made the memorable in the first place.

Anyway, that’s enough on Passwords and PINs, next time I’m going to start on Social Engineering and how the bad guys WILL obtain those carefully protected pieces of information you have created.

Until then, keep safe and keep aware

David





Facebook and Security – part 3

13 08 2012

In the first two posts I told you how to use the Facebook security settings to protect your information and how to manage your ‘friends’ to ensure you are only sharing your innermost secrets with the people you think you are.
In this final post I’m going to return to areas I touched on briefly in the first post which are the Facebook Applications and advertising. Facebook is a commercial organisation, even more so since their flotation on the NYSE earlier this year, and as such they have to find ways of generating income from a service which “is free to join and always will be”.
Let’s start with the Applications. Many of you will be familiar with ‘Farmville’, ‘Fishville’, ‘Mafia Wars’, but you can also create virtual worlds in other areas, play poker, play slot machines and so on. Other Applications offer to tell your future, share birthdays with your friends, or let you see what’s happening in the news, all incredibly vital stuff I’m sure but as I’ve said before, nothing is free in this life.
Most of these applications are free to download, and the ‘only’ price is your agreement to let them post on your behalf, share your details with pretty much anyone they wish and pester you with requests. In return some of them let you give them your credit card details so that you can buy all of those wonderful upgrades that you never knew you needed. The problem is that by participating, you have agreed to the application becoming one of your friends, and we’ve already looked at what that can mean. Before signing up, have a quick read through what it is you are signing up to. Do you have any idea what this organisation is about, are they even who they say they are? Is your mailbox (the one you’ve registered with Facebook) going to be filled with spam, as they share your details with other organisations who will pay good money for ‘live’ e-mail addresses?
So two tips for managing Applications. Firstly, think before you click ‘accept’, or ‘agree’, you are about to make a complete stranger your Friend. Do you really want to do that? Secondly, have a regular review of what Applications you have signed up to. You do this by clicking that little downward pointing arrow in the top rightof the Facebook page and then selecting Apps on the left hand pane. A regular cull never did anyone any harm.
So now for the biggest earner of all, Advertising. Facebook knows everything about you; your name, age, sex, marital status, hometown, where you go, what you do and who you do it with. Who your friends are, possibly their birthdays, their friends, interests etc. etc. etc. This is marketing dreamland. Want to advertise a wedding service to someone living in Norwich? Facebook can identify everyone with a status of Engaged, select those living within say 20 miles of Norwich and post a link on their home page. Rather than me telling you how easy it is to do, why don’t I let Facebook? Follow this link to read all about it https://www.facebook.com/advertising/how-it-works. So why should you care from an Information Security perspective? Two main reasons, firstly the ease with which adverts can be created, means that you should not simply trust what appears on your Facebook page, as I said in an earlier blog, “on the Internet, no-one knows you’re a dog”, just because it looks like a duck, walks like a duck and quacks like a duck, on the Internet it could still be a Rotweiller. Secondly this should make you appreciate the implications of being too free and easy with your personal information. Information is power and money, I’m going to cover Social Engineering in a later post, but for now let’s just say that if someone comes across as credible then we tend to believe them. If something looks personalised we will tend to trust it. By using the information you have put on Facebook, the advertisers will be both credible and personalised, but are they trustworthy? Do you really want to follow that link to an advert written just for you and then give them your credit card details?

Anyway, that’s enough for today.
As always, if you have any thoughts or comments please share them, if you’ve enjoyed reading this then please click on the ‘share’ button below, and as always Safe Surfing

David





Facebook and Security – part 2

29 07 2012

In my last post I introduced you to the various ways you can use Facebook settings to control who can see your information. That is only part of the story however as it assumes you are effectively managing your Facebook community.
Before we go into the details, lets just step back from the virtual world and re-enter the physical one. How many friends do you have? By friends I mean people with whom you would normally share your thoughts and opinions, show your photographs and discuss films or TV programmes. People who are interested in what you have been doing and who you have been doing it with, and who care enough to stop what they are doing and listen to you. If you extend that to include family and work colleagues, the number will increase but the type of information you want to share will change. So, what’s the number? 10, 20, 50, 100 even? Now, how many friends do you have on Facebook? I bet that number is at least double the previous one, and therein lies part of the problem. Most of us are a lot more promiscuous online than we are in the real world, we make online friends much more easily, partly because it is less hassle and partly because we feel a peer pressure to appear popular. It’s probably not surprising, but the number of Facecbook friends varies according to your age. Those under 34 (Generation Y, and the Internet Natives) have over 300 on average, Generation X have around 200, and even the baby boomers (of which I’m one) still have over 150 Facebook friends. Incidenntally, I’m probably a frustrated Gen Xer as I’ve got over 200.
So you have over 100 FB friends, and every day you tell them about getting up, going to work, maybe suggest a good film or TV show, add a couple of witty anecdotes, post that photo your kid doing a wacky thing, and the photo of you throwing up after a good night out. Hang on, let’s rewind that last bit, you’ve just posted a photo of you throwing up? To 100 people, may of whom are work colleagues, maybe your boss? Not so sharp heh? Oh, and they can share it with their friends, and so on, and so on. And that is the real danger of Facebook, it’s not what you tell people it’s what they can do with what you told them. I’m sure you’ve read about kids telling their Facebook friends that their parents are going away and that they are having a small party, and hundreds turn up. Facebook is a social media tool, designed to share information with as many people as possible. Once you post, you lose control over the posting.
In the ‘real world’, if you tell a friend something in confidence, you can be reasonably comfortable that they would not share it because they are your friend. Plus, what you tell one friend may not be the same as what you share with another, as the relationships are different. On Facebook, you have two relationships, friend or not friend, and as we have already agreed, most of your Facebook friends are not actually friends at all (at least not in the ‘I will bare my soul to you’ manner). You have no idea what they will do with that bit of information you just gave them and probably not much idea of how they will react.
So what can you do? Firstly, review your Facebook friends. De-friending is becoming quite a trend at the moment. When was the last time you had any interraction with that person, electronically or physically? If you remove them from your list would you care?
Secondly, think before you post. Are you happy for what you are about to share being spread across the world, because even if you tie down the settings, there is still a real chance of it getting out, and don’t forget, there is no delete function on the Internet. If it’s out there it’s going to stay out there.
As with so much of Information Security, it always comes back to common sense. Be aware and be safe.

If you have any thoughts or comments on this blog, please feel free to share them.

Until the next time, safe surfing.

David





Facebook and Security

21 07 2012

Did you know that if Facebook was a country it would have the third highest population in the world? Why should you care? Well, if you get your privacy settings wrong you could be exposing your personal details, innermost thoughts and candid photographs to a community with more than twice the population of the USA.
Before we get into how you can manage your privacy on Facebook, it’s probably worth spending a little while looking at the ethos behind the company and the ideas of its founder Mark Zuckerberg. Whilst not wanting to put words into his mouth, Zuckerberg’s underlying philosophy is that people should share information about themselves, their interests and their communities. His dream is to create an ‘open information flow’. Whilst that may be commendable, in the early days he drew a lot of flak by making the default settings on Facebook ‘Public’ to help realise that dream. Whilst that has changed in recent months they do occasionally revert to type and bring in new functionality that shares everything with the world again. Not a good place to be if you care about your privacy.
So how do you go about checking what Facebook is revealing about you to the world? Your first port of call is to click on the little downward pointing arrow on the top right of the Facebook screen and to select ‘Privacy Settings’. That brings up a screen with a number of options, so lets work through them one by one.
First things first, set the ‘control your default privacy’ to ‘Custom’.
How you connect – this is the most basic level of connectivity with the Facebook world. Who can see your e-mail address and phone number, who can ask to be your friend and who can send you messages. Each of the options offers you three settings ‘Everyone’, ‘Friends of Friends’ and ‘Friends’. For what its worth I have all three of these set to ‘Everyone’.
Timeline and Tagging – now we’re starting to get a bit more intimite with the community. This is where you start sharing information you post, but also control who can post on your pages (which will also be shared don’t forget). I’m more cautious in this area so I have them set to ‘Friends’, except for the two ‘review’ options which I have turned off.
Adds, Apps and Websites – these are the areas where Facebook moves away from you and your world into a much more commercial arena (with you as the focal point). You are now entering the Marketing space and these people want to get your details. Some want to sell you things, some want your endorsement so that your friends will buy things and some are just plain criminal. Click on the first entry and you will see all of the things that you are allowing to access your Facebook details. Thought you had this tied up in the ‘Timeline and Tagging’ settings? Think again! When you clicked on that fun app which let you do something on Facebook and selected the ‘allow to share’ option (and of course you could not use it if you didn’t), did you realise that you have just exposed a whole heap of your details to an unknown company for them to do with as they wish? Have a wander down that list and delete those which you no longer want to be part of. Also, check the last two entries on this screen ‘Public Search’ and ‘Adverts’. The first reveals how much you are exposing to ‘strangers’ when they search for you via a search engine such as Google. the second is a classic Facebook activity’ “We aren’t doing this yet, but if we were this is what would happen”. I’ve set both of these to ‘no-one’. Back to the main list and the next option allows you to retrospectively limit past sharing activity.
Limit the audience for past posts – this is a ‘nuclear option’ but in essence it means that in one stroke you can remove all of the ‘friends of friends’ or ‘public’ access to historical posts. This can’t be undone in a single stroke though.
Blocked people and apps – this is where you can block the stalkers, or those persistant apps which keep trying to make you join them.
So there you have it. Privacy on Facebook is much more granular than it used to be, but you do need to keep an eye on it, just to make sure nothing has ‘reverted’ since you last checked.
In my next post I’ll dig deeper into the world of Facebook from an information security perspective, looking at steps you can take to protect yourself in your posts and sharing some of the Facebook disasters that continue to appear.
As always, if you have any thoughts or comments then please get in touch.

Until next time, surf safely.

David





Welcome

12 07 2012

Welcome to the first post on Information Security Made Easy, your window into the world of InfoSec and the simple steps you can take to help protect yourself from the bad guys.

This is not going to be a mega-technical geek haven, I want it to accesible to those who know enough to get themselves into trouble, but not enough to get themselves out.

Silver surfers are more than welcome, as are the newbies who are just getting online.

To get you started, here’s a useful link:

http://www.getsafeonline.org/

I’ll be adding more info over the coming weeks, so please come back and see what I have to say.








%d bloggers like this: